- A filing by Coinbase has revealed the true extent of its latest data breach: 69,461 customers had sensitive data stolen when overseas-based customer support staff were bribed.
- The breach was made public by Coinbase last week, but the precise number of customers impacted wasn’t known until now.
- Coinbase has been criticised for its handling of this breach, with some suggesting the crypto exchange delayed informing the public until changes were made to its user agreement limiting class action lawsuits.
Coinbase has confirmed in a regulatory filing that almost 70,000 customers have had sensitive data stolen in a huge data breach involving the bribery of its overseas customer support staff.
The filing, which was made with the US state of Maine’s Attorney General’s Office, showed that 69,461 Coinbase customers had their data leaked — 217 of which were residents of Maine. Coinbase said this amounts to about 1% of their customer base.
The filing describes the breach as “insider wrongdoing” and states that impacted individuals have been offered one year of free “credit monitoring and identity protection services from IDX.”
The leaked data included names, contact details, social security numbers and identity documents. This data was used by criminals to launch social engineering attacks against Coinbase customers, reportedly resulting in the theft of millions of dollars.
The criminals behind the breach also tried to extort Coinbase to the tune of US$20 million (AUD$31m) worth of Bitcoin, which the exchange refused to pay.
This breach of Coinbase customer data was first revealed last week, but until now it hasn’t been clear exactly how many customers were impacted. Many customers now fear they may become the target of further crimes, such as identity theft and targeted attempts to steal their crypto assets.
KYC Doesn’t Stop Crime and May Be Unconstitutional: Coinbase CEO
In an X discussion about the harms caused by companies not protecting customer data, Coinbase CEO Brian Armstrong pushed back against know-your-customer (KYC) compliance measures on crypto exchanges. He said collecting KYC information is ineffective at stopping crime, and that cryptocurrency exchanges don’t want to collect it but are required by law to do so:
We don’t want to collect it, and our customers hate it. We are being forced to collect it against our will. And it’s not even effective at stopping crime, if you look at the data behind it.

Armstrong also suggested KYC and anti-money laundering laws, in addition to being ineffective, may also be unconstitutional.
“My hope is there is a constitutional challenge to BSA/AML laws, or Congress decides to review it at some point,” he said. “We’re in a much different world than when it was enacted in 1970, and it arguably violates the Fourth Amendment, protecting us from unreasonable searches and seizures.”
Many jurisdictions around the world (including Australia) require that customers verify their identity with cryptocurrency exchanges before being allowed to trade. This means sharing sensitive data such as photographs, identity documents such as driver’s licenses or passports, and contact details. This data is required to support efforts to combat money laundering on these platforms.
However, holding such data puts a huge burden on companies to manage vulnerabilities related to cyber threats, human error and malicious intent. In this case, criminals bribed overseas-based Coinbase customer support staff to give up sensitive customer data obtained during the KYC process, effectively circumventing any technological security measures the exchange may have had in place.
Coinbase Revealed Data Breach the Day Before User Agreement Changes
Coinbase’s handling of this data leak has been widely criticised, largely because the crypto exchange decided to go public with it on May 14, just one day before making changes to its user agreement that limit class action lawsuits and require all class actions to be filed in New York. These changes apply to all lawsuits initiated after May 15.
The timing of the changes to its user agreement suggests Coinbase may have delayed informing the public of the data breach until they’d made it considerably harder for their customers to take legal action.
Crypto researcher Molly White said that since the data breach has become public, five class action lawsuits have been launched against Coinbase, all of them initiated after May 15 and two of them filed outside of New York.
Armstrong defended Coinbase, saying the exchange had warned users since April 11 that the changes were incoming. He claimed that this proves “it had nothing to do with the data breach”. Armstrong also denied the changes were intended to limit class action lawsuits, but rather “just made the user terms consistent”.